MagicDX

Theme

Magic-Sessionmanager — Troubleshooting

Sessions not appearing in dashboard

Checklist:

  1. Plugin is enabled in config/plugins.ts and rebuilt?
  2. Dashboard accessible via Sessions in admin sidebar?
  3. New logins create records. Old users already logged in (before install) won't have sessions until they log in again.
  4. If using Magic-Link + Magic-Sessionmanager: ensure both are enabled. Magic-Link auth creates sessions automatically.
  5. If using password auth: verify your auth middleware calls sessions.create (Magic-Sessionmanager does this automatically for /api/auth/local).

Force logout does not actually log the user out

Symptoms: admin clicks "Terminate" but user can still make API calls.

Causes:

  1. Refresh token not blocked — verify the plugin is loaded and the sessions.isBlocked() check runs in your auth middleware.
  2. Frontend caches the JWT — the JWT itself is still valid until it expires naturally. Force logout invalidates the refresh token, so user can continue using the current JWT until expiry but cannot refresh.
  3. Set a short JWT expiry (JWT_TOKEN_EXPIRATION=900 = 15 min) for effective force-logout.
  4. Use a cookie-based flow — set JWT as HttpOnly cookie and clear it on logout. Then refresh token is the only session identifier.

Geolocation is blank

Checks:

  • Tier — geolocation requires Premium or Advanced.
  • License activated — check admin → Sessions → License.
  • IP is private — RFC 1918 addresses (10.x, 192.168.x) correctly return null.
  • Database file existsnode_modules/strapi-plugin-magic-sessionmanager/data/GeoLite2-City.mmdb.
  • Check logs for geolocation: database not found.

Fix for custom database:

typescript
'magic-sessionmanager': {
  config: {
    geolocation: {
      databasePath: '/absolute/path/to/GeoLite2-City.mmdb',
    },
  },
},

VPN detection says "No VPN" but you know the user is using one

IP classification databases lag behind new VPN endpoints by days/weeks. Options:

  1. Use the isDatacenter flag — most commercial VPNs operate from datacenter IPs. Enable autoBlock.blockDatacenter for stricter rule.
  2. Threat score — VPN alone may not trigger but combined with other flags (new country, user-agent anomaly) the threat score often catches them.
  3. Update the database — for critical accuracy, use a paid service like MaxMind GeoIP2.

Redis connection errors 

Error: Redis connection refused

Fix:

  • Verify REDIS_URL is correct and Redis is running.
  • Test connection: redis-cli -u $REDIS_URL PING should return PONG.
  • If Redis is optional for you, unset REDIS_URL — the plugin falls back to database-only tracking.

Encryption key errors 

Error: Unable to decrypt session token

Cause: SESSION_ENCRYPTION_KEY changed since sessions were encrypted.

Fix:

  • Restore the original key from backup.
  • If not possible, clear the sessions table (users will need to log in again):
sql
DELETE FROM magic_sessionmanager_sessions;

To prevent in future:

  • Store the key in a secrets manager (AWS Secrets Manager, Vault, 1Password).
  • Include it in your deployment rotation runbook.

High memory usage

Cause: too many sessions retained in memory for fast lookup.

Fix:

  • Lower terminatedRetentionDays (default 30 → try 7).
  • Enable Redis to offload session state.
  • Ensure auto-cleanup cron is running (strapi.log.info at midnight).

Alerts not firing

  1. Check trigger conditions — open admin → Settings → Alerts → Test button.
  2. Email alerts: Magic-Mail or email provider must be configured.
  3. Webhook: test the URL with curl -X POST <url> to confirm it's reachable.
  4. Check Strapi logs for webhook delivery errors.

Enable debug mode

bash
DEBUG=magic-sessionmanager:* npm run develop

Logs every session create / update / terminate, threat scoring step, alert evaluation.

Still stuck?